Due to a bug within the argument parser of the partial
command an argument like "body[p" will be wrongly detected as
"body.peek". Because of this the bufferposition gets increased
by 10 instead of 5 and could therefore point outside the
allocated memory buffer for the rest of the parsing
process. In imapd versions prior to 2.2.7 the handling of
"body" or "bodypeek" arguments was broken so that the
terminating ']' got overwritten by a '\0'. Combined the two
problems allow a potential attacker to overwrite a single byte
of malloc() control structures, which leads to remote code
execution if the attacker successfully controls the heap
layout.

Fix stack buffer overflows in fetchnews (exploitable
by peer news server), backend (exploitable by admin),
and in imapd (exploitable by users though only on
platforms where a filename may be larger than a mailbox
name).

The 2.1.X series are reportedly only affected by the second
issue.

These issues may lead to execution of arbitrary code with
the permissions of the user running the Cyrus IMAP
Server.

Due to a bug within the argument parser of the partial
command an argument like "body[p" will be wrongly detected as
"body.peek". Because of this the bufferposition gets increased
by 10 instead of 5 and could therefore point outside the
allocated memory buffer for the rest of the parsing
process. In imapd versions prior to 2.2.7 the handling of
"body" or "bodypeek" arguments was broken so that the
terminating ']' got overwritten by a '\0'. Combined the two
problems allow a potential attacker to overwrite a single byte
of malloc() control structures, which leads to remote code
execution if the attacker successfully controls the heap
layout.

Fix stack buffer overflows in fetchnews (exploitable
by peer news server), backend (exploitable by admin),
and in imapd (exploitable by users though only on
platforms where a filename may be larger than a mailbox
name).

The 2.1.X series are reportedly only affected by the second
issue.

These issues may lead to execution of arbitrary code with
the permissions of the user running the Cyrus IMAP
Server.

The argument parser of the fetch command suffers a bug very
similiar to the partial command problem. Arguments like
"body[p", "binary[p" or "binary[p" will be wrongly detected
and the bufferposition can point outside of the allocated
buffer for the rest of the parsing process. When the parser
triggers the PARSE_PARTIAL macro after such a malformed
argument was received this can lead to a similiar one byte
memory corruption and allows remote code execution, when the
heap layout was successfully controlled by the attacker.

The argument parser of the fetch command suffers a bug very
similiar to the partial command problem. Arguments like
"body[p", "binary[p" or "binary[p" will be wrongly detected
and the bufferposition can point outside of the allocated
buffer for the rest of the parsing process. When the parser
triggers the PARSE_PARTIAL macro after such a malformed
argument was received this can lead to a similiar one byte
memory corruption and allows remote code execution, when the
heap layout was successfully controlled by the attacker.